使用 Sonatype nexus 控制对 docker 注册表的访问

Question

In our current setup we are do proxy to entire docker hub to pull the images, but what we want is limit this proxy to only official indexes like ubuntu, apache etc. During configuration of repository there was this option to set custom index for the repository, so my two questions are :

• With this custom index option will I be able to achieve what I explained above?
• If yes, then from where I should get the URL for custom index. so far I tried using https://hub.docker.com/_/centos/ for centos but it didn't worked.

Please suggest how to go about this.

Answer 1

Yes, you can use a custom index to limit what's available in your repo. To achieve that you have to deploy and maintain your own docker registry index service and use that when configuring your docker proxy repository.

However, an easier solution would be to use a content selector to limit what's allowed to be access via your docker proxy repository while still using Docker Hub with it's original index.

Using the simplified content selector solution is a bit hacky, but might work for you. Essentially you have to provide a whitelist (or a blacklist) in a form of a regex. The implication of this solution is that users of your registry will still be able to search for any available image, because you can keep using the Docker Hub's index for simplicity.

1. Create a docker proxy repository pointing to the Docker Hub.
2. Create a content selector with a white/black list of images, eg. path =~ '^/v2/library/(alpine|ubuntu).*$' will only allow alpine and ubuntu to be downloaded.
3. Create a new privilege of type Repository Content Selector .
4. Create a role containing the above privilege.
5. Create a user with an above role.

Now, the user you have created shall log into your registry, eg. $ docker login nexus.local:8085 . That user will be authorised to pull both alpine and ubuntu (based on the content selector from step 2), but will fail to download anything else.

A sample succesful pull: $ docker pull nexus.local:8085/alpine Using default tag: latest latest: Pulling from alpine Digest: sha256:0873c923e00e0fd2ba78041bfb64a105e1ecb7678916d1f7776311e45bf5634b Status: Image is up to date for nexus.local:8085/alpine:latest

A sample failed pull: $ docker pull nexus.local:8085/postgres Using default tag: latest Error response from daemon: unauthorized: access to the requested resource is not authorized

Answer 2

we are do proxy to entire docker hub to pull the images, but what we want is limit this proxy to only official indexes like ubuntu, apache

What I did was:

• Create a routing rule
  • Mode: ALLOW
  • I wanted only alpine and centos so I created two matches with:
    • ^/v2/library/centos.*$
    • ^/v2/library/alpine.*$
• Go to configuration of the docker proxy repository
  • Go to Routing Rule
  • And pick the routing rule you created.

That way all except centos and alpine are available from that docker proxy repo. Pulling anything else results in "manigest unknown" error from docker.